Registry Hives
What could be more fitting than to start this series by talking about hives?
What is a registry hive?
A registry hive is a database in the Windows Operating System that collects system-generated and user-generated information for configuration purposes. Because the registry records this information as the system runs, reviewing it allows one to track activities performed on the computer.
Structure
Registry hives are structured as a ‘tree’, where each branch of the tree is a ‘key’, and every branch carries leaves, which are referred to as ‘subkeys’ or ‘values’ depending on the data type.
The following is a representation of the Registry Hive structure:
There are primarily five registry hives:
Registry Editor View:
Each hive is also backed by supporting files on disk, which correspond to the branches of the tree. Below are the primary files [1]:
Registry Review:
The following steps show how to capture and review a Registry Hive in the proprietary Windows format.
Capture:
On a running Windows system, open Registry Editor.
File -> Export -> Save as a Registration File (.reg).
Review:
Open Registry Editor.
File -> Load Hive
Point to .reg file.
Location from a Windows Forensic Image:
C:\Windows\system32\config\
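To review an export from the capture step outside of Registry Editor, a small parser for the .reg text format is useful. The example below is added here and is not code from the original article; it parses a constructed .reg export into the key/value tree described above and offers a review helper that lists the values under a chosen key path (the sample paths and data are made up for illustration).

```python
import re
# Constructed sample .reg export (Registry Editor 5.00 format); not data from any real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\alice\\AppData\\Local\\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
@="a"
"a"="notepad\\1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="WORKSTATION01"
"Enabled"=dword:00000001
"Blob"=hex:01,00,\
  ff
'''
KEY_RE = re.compile(r'^\[(.+)\]$')                       # [HKEY_...\Path] key header
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data

def _decode(raw):
    """Map the textual .reg encoding of one value to (REG_* type, Python data)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    if raw.startswith("hex:"):
        return "REG_BINARY", bytes(int(b, 16) for b in raw[4:].split(",") if b)
    return "UNKNOWN", raw  # e.g. hex(2): / hex(7): typed data is left undecoded here

def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}}; '@' becomes '(Default)'."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):  # hex data continued on the next physical line
            buf = line[:-1]
            continue
        buf = ""
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = _decode(m.group(2))
    return keys

def values_under(keys, key_suffix):
    """Review helper: (key, name, type, data) for every value whose key path ends with key_suffix."""
    return [(k, n, t, d) for k, vals in keys.items() if k.endswith(key_suffix)
            for n, (t, d) in vals.items()]
```

Registry Editor writes version 5.00 exports as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its contents to `parse_reg`.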
Digital Forensics Focus:
The following are helpful locations that have assisted in Digital Forensics investigations:
Conclusion
The Windows Registry Hive provides a valuable log of user-generated information that can assist in an investigation. Depending on the type of investigation, you may find different parts of the registry hive to be beneficial. Therefore, if you are analyzing a Windows machine, take the time to review these hives - they may provide you with guidance and assistance in retracing user actions.
Reference Guide
If you would like a summary of this article, please check our reference guide for your review - Windows Registry Hive - Reference Guide
Reference
Msdn.microsoft.com. (2019). Registry Hives (Windows). [online] Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724877(v=vs.85).aspx [Accessed 24 March 2023].